Sony digital boss - rootkit ignorance is bliss --The Register

But IT Depts beg to differ
By Andrew Orlowski in San Francisco
Published Wednesday 9th November 2005 01:45 GMT


The President of Sony BMG's global digital business division Thomas Hesse has weighed into the storm over the 'rootkit'-style copy restriction software introduced on some recent audio CDs.

Sony's software installs itself by stealth, conceals itself, then intercepts low level Windows systems calls. Removing it causes the CD drive to be rendered inoperable. The only cure is to reformat the disk and reinstall Windows.

What responsibility did Hesse feel for the havoc his CDs had caused?

"Most people, I think, don't even know what a rootkit is, so why should they care about it?" he huffed.

I think we can take that as: "No responsibility at all."

(Hesse made his comments on NPR radio on Friday - you can hear them here, 1m:50s into the short report.)

But IT departments beg to differ.

A support manager at an IT department in a medium sized corporation told us that a CD-borne infection of Sony DRM is already causing his team headaches.

A major antivirus vendor diagnosed the problem as a nasty case of DRM, he told us, but the problem didn't end there. The Sony 'root kit' causes the antivirus software to go haywire, popping up alerts at the rate of one a second.

Three systems have so far been flattened, he said. The original culprit was a Van Zant CD - from Sony BMG.

And it gets worse.

On Sunday Mark Russinovich of Sysinternals.com, whose forensics last week identified the DRM as a 'rootkit' style infection, has been taking a look at the patch subsequently issued by First4Internet, the British company which wrote the crippleware.

All the patch does is force XP to issue Windows commands (eg, "net stop") that disable the driver. Because XP is a multithreaded OS, this is a brute force procedure that can cause the system to crash if resources are in contention.

Russinovich also notes that the Sony DRM software still contains vulnerabilities that expose a system to a potential blue screen of death. Instead of exiting gracefully and returning standard Windows system errors, the DRM exits disgracefully.

Which, we suggest, is exactly what Sony's Herr Hesse should be considering right now.

Have you had problems with Sony in your IT support department? Write and let us know. ®

I guess Sony is just trying to give Sen. Orrin Hatch his wish of "blowing-up" your computer.

May crashes and blue screens haunt the Microsoft operating systems of those who purchase RIAA media!
(I know, ShadowMom will be tempted to think of that remark as being ugly. Oh, well. I'm not here to curry favors or win popularity contests.)

And they wonder why no one is buying CDs at the moment.

You know, I work in retail and I know that if you treat your customer this way, they'll get really, REALLY pissed. I mean, pissed to the point that your manager has no choice but to either write you up or fire you.

So, Mr. Hesse, as one of the people who, in the past, has paid for your expensive Ferrari: YOU'RE FIRED!!!

"Most people, I think, don't even know what a rootkit is, so why should they care about it?"

Most people don't know how to use a lockpick, but you should still call the police if you find someone using one on your front door.

How many years has the RIAA spent with their "education" program? Now they expect everyone to be stupid again.

Damn straight, George (and NiceGuy)!
_ _ _ _ _

"Most people, I think, don't even know what a rootkit is, so why should they care about it?" Hesse huffed.

Uh, Hesse, maybe most people don't know what a rootkit is, but they damn sure care about crashes or blue screens -- or perhaps even worse, having to face their system being hacked into through a hole caused by hostile invasive software that your company was dorky enough to risk antagonizing part of its consumer base with.

Mr. Executive Hotshot, are you trying to imply that users are losers if they unwittingly find themselves falling victims to your company's utilization of misguided malware? Hmm?
(How condescending can you get?)

Common sense would have to go with gdZiemann's analogy.
Hesse needs to wake up, smell the coffee, and join the real world. Just because someone doesn't understand the intricacies of a devious technology doesn't mean they don't care about the consequences of it impacting their personal computer! Sheesh! I almost can't believe someone in such a high corporate position could talk so stupidly!!
Just taking this digital honcho at his words, Hesse has GOT to be either some sort of lamebrain or some sort of callous cad, one or the other; there's no getting around it, folks.
(My money is on Hesse being a horse's ass rather than an ignoramus.)

To state the obvious:
1) His company got caught with its hands in the mud, and they're pissed about the fallout from the negative P.R.
2) Sony is sorry about getting caught instead of sorry about what they've done.
3) A crappy company like this deserves vigorous boycotting of ALL its products.

". . . what Sony's Herr Hesse should be considering right now" (is helping rather than hindering).

Critics could rightfully view this debacle's aftermath as being yet another instance of counterproductive arrogance displayed by RIAA-affiliated multinational corporations.

"Most people, I think, don't even know what a rootkit is, so why should they care about it?"

The sheer idiocy of this statement should be enough to get this moron fired.

Most people don't even know what a buffer overflow exploit is so why should they care about it. Tell that to the millions of users and administrators who wrestled with CodeRed, Nimda and the rest of the malware shit while their computer systems were down.

Just wait for some script kiddie to come along and propagate $sys$fdisk.exe and watch every user who has inserted a Sony BMG CD bluescreen and be forced to reinstall Windows. Just wait for the backlash when all your 'consumers' lose all their data and realize Sony was the cause.

Just wait for the HUGE customer dissatisfaction that plummets Sony sales into the dumpster.

But then what does Sony know about customer satisfaction and why should they care about it?

Most people DO know what a class action lawsuit is though so maybe YOU should care about it. Douchebag.

http://www.eff.org/deeplinks/archives/004149.php

The nature of a rootkit is such that many problems it caused will never be fully diagnosed. I repair computers frequently - If I find one mysteriously unstable and still havn't found any reason after four hours, I usually just back up everything and reformat.

So maybe the attourney filing this case needs to seek damages for people who have had to take their computer in for repairs.

This entire scheme to put DRM on a CD was so idiotic that I'm surprised a person with any kind of intelligence would have even attempted it to begin with. Locking a CD that has to be backwards compatible with the millions upon millions of "retro" CD players is impossible. The only way I could envisage limiting the numbers of copies that could be made from a CD is by writing data to the CD itself and that isn't going to happen.

Someone at Sony had the bright idea that they could conscript your PC to keep track of your usage of that CD. If they would have made a simple program that could be easily removed then people could just remove the program resetting the usage settings. Had Sony just done this I'm sure a huge percentage of their CD users, users who may not even know how to remove a program, would have honored their restrictions albeit "voluntarily."

The so called "hackers" or people who would want to rip their CDs that inspired Sony to bury their program deep into everyone's system don't rely on Windows standard programs anyway. Certain rippers can still see the tracks on these CDs. Linux and Mac users play unrestricted. What was the point of this DRM and why didn't anyone bring this up at the meetings used to decide this? Granted First4Internet had incentive to oversell their product using fancy powerpoint presentations but doesn't anyone at Sony know how computers function and how this scheme doesn't work and can never ever work?

These CD manufacturers have to surrender the old fashioned CD that play on old fashioned CD players and focus their energy to get their DRM on the next generation of CD (whatever that is). What surprises me about this entire debacle is how a company like Sony that makes such technologically advanced systems could fall for that First4Internet salespitch. As an investor I'd be asking where are the Quality Control corporate processes in place to prevent something like this from happening? Sure copying may be hitting the bottom line but in any product in any technology, the cash cow phase only lasts so long and it makes more sense to R&D the next technology to replace your cash cow than to try and polish the turd so to speak.

Here's a link to Fred von Lohmann's first interpretation of Sony-BMG's EULA at the EFF site:

Now the Legalese Rootkit: Sony-BMG's EULA

If you don't agree to Microsoft's EULA for Windows, you can return it for a refund. Does that mean these CDs can be returned for a refund if the purchaser doesn't agree? It should. After all, Sony has made the disc more like a software CD than a music CD. Take 'em back! Demand a refund!

This gets even more unbelievable. I can't believe they aren't just taking responsibility. I mean, they got busted. The worst thing you can do is still deny that it is a problem. Its almost as bad as suing your customers...

"I can't believe they aren't taking responsibility. I mean, they got found out. The worst thing you can do is still deny that it is a problem. It's almost as bad as suing your customers..."

That makes them even worse than politicians.
(Politicians don't sue their constituents.)

"Sony digital boss - rootkit ignorance is bliss."

Memo to Sony digital boss: You WISH that most everybody would stay 'blissfully' ignorant about your company's crap, but it ain't gonna happen, buster.

I wonder if the Record Executives at Sony use this product that they are so proud of? Hahaha!